Testing
If you've enabled root login via ssh, you should be able to log in to the Docker container using the published 2222 ssh port:
❯ ssh [email protected] -p 2222
Authenticated with partial success.
[email protected] password:
You should see the Authenticated with partial success text, which means that public key authentication succeeded.
Now enter the user's password and, without hitting enter, long-touch the Yubikey until a newline is entered automatically.
If you consider the password foobar for the root user, the actual password that will get sent is:
[email protected] password: foobarcccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
libpam-yubico will strip the characters belonging to the OTP, send the OTP to YubiCloud and, upon success, forward the remaining characters to the next PAM module (in this case, pam_unix.so) to validate the user's password.
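To make that split concrete, here is an added Python model (not part of this page or of libpam-yubico itself) of what the module does with the combined string above: it peels the trailing 44 modhex characters off as the OTP, checks the key's public ID against a per-user mapping (a constructed stand-in for the module's authfile), hands the OTP to a pluggable validator standing in for YubiCloud, and forwards the remainder to a stand-in for pam_unix.

```python
from typing import Callable

MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent hex alphabet
OTP_LEN = 44                  # every YubiKey OTP is 44 modhex chars (22 bytes)
PUBLIC_ID_LEN = 12            # leading 12 chars (6 bytes) identify the key

def split_password_and_otp(combined: str) -> tuple[str, str]:
    """Split "<unix password><otp>" the way libpam-yubico does: the trailing
    44 modhex characters are the OTP, everything before them is forwarded
    unchanged to the next PAM module. Raises ValueError if no OTP is present."""
    if len(combined) < OTP_LEN:
        raise ValueError("input shorter than a YubiKey OTP")
    password, otp = combined[:-OTP_LEN], combined[-OTP_LEN:]
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("trailing characters are not modhex; no OTP present")
    return password, otp

def modhex_decode(text: str) -> bytes:
    """Decode modhex to raw bytes (public ID = first 6 bytes of a 22-byte OTP)."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("invalid modhex")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def pam_stack(user: str, combined: str,
              key_map: dict[str, set[str]],
              otp_valid: Callable[[str], bool],
              unix_valid: Callable[[str, str], bool]) -> bool:
    """Model the two-module stack from the page: pam_yubico first (key must be
    mapped to the user, then the OTP is checked online), then pam_unix with
    the remaining characters. Every step fails closed."""
    try:
        password, otp = split_password_and_otp(combined)
    except ValueError:
        return False
    if otp[:PUBLIC_ID_LEN] not in key_map.get(user, set()):
        return False            # key not assigned to this user (authfile mapping)
    if not otp_valid(otp):
        return False            # YubiCloud rejected it (replayed, forged, ...)
    return unix_valid(user, password)

# Constructed sample: the exact string the page shows being typed for root.
SAMPLE = "foobarcccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj"
KEY_MAP = {"root": {"cccccccgklgc"}}   # hypothetical authfile entry for this demo

if __name__ == "__main__":
    pw, otp = split_password_and_otp(SAMPLE)
    print(pw, otp[:PUBLIC_ID_LEN], modhex_decode(otp).hex())
    print(pam_stack("root", SAMPLE, KEY_MAP, lambda o: True, lambda u, p: p == "foobar"))
```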
After 2-3s, you should be logged in! Now exit and log in with foobar. Attempt to escalate privileges by doing su root and you will see that the Yubikey for the root user is required (the same principle applies: first enter the password, then long-touch the Yubikey).
As you may have noticed, during SSH there are actually three factors involved, not two: public key authentication, the password and the Yubikey OTP. This is a limitation of OpenSSH, as public key authentication plus Yubikey OTP without also requiring the user's UNIX password is not possible at the moment.